Password policies are stupid

I have passwords for Google, Yahoo, Microsoft, WordPress, several applications, banks, and, hell, a ton more. And all of the policies for passwords are stupid. You can’t re-use one; some number of digits, alphabet both upper and lower case, and symbols; some sort of length; changing it some number of times per season; and on and on and on. I agree with these best practice changes for passwords.

I will note that Amazon seems to understand this. I have been using Amazon since there was an Amazon. My password has never had to be changed and it isn’t overly burdened by dumb rules that make it look like this: c5(BnKw8TxqLnh8′


12 Responses to “Password policies are stupid”

I use a password manager (iOS/mac OS default one works fine for me), or if I have to come up with one manually I use passwords generated on xkpasswd.net whenever possible. They have enough entropy but are relatively easy to remember. But also I use two factor authentication (using the Authy or Google Authenticator app, which are available on both iOS and Android). Authy even has an Apple Watch app so I never need to actually use the app on my phone.

i too use a password manager — KeePass, because it’s cross platform. its built-in password generator creates garbage strings that couldn’t possibly be remembered, but i never even try, because i just copy and paste them in. most of my passwords i’ve never even seen.

and the password database itself is safeguarded with a combination password (the only one i bother remembering) and random-data key file, the latter of which is stored on a couple of USB sticks and has never touched the network. i consider this secure enough that i keep the (encrypted) password database in my dropbox folder, so i can get at it from my smartphone too.

I’ve had good luck with LastPass. It will store everything for you, it’s accessible from any internet-connected device (and offline, if you sync’d the database ahead of time), it handles two-factor authentication (for itself), and it will happily generate whatever kind of gibberish password your site requires.

Statistically, pretty much any 16 character password is pretty safe, as long as you don’t use too many repeats. XKCD had a great comic about it.

As an IT nerd, though, I have to enforce some password rules that are pretty asinine, because my users are even more asinine. We used to find passwords taped to monitors, even before we required scheduled changes. I had to set the “remember last six passwords” flag, because we had one guy that would change it, then change it back to his old one immediately. To get around that, he had a grad student change it 7 times when it would expire, so I had to turn on the minimum password age requirement as well.

I’ve issued smart cards to anyone with admin privileges, though, which mitigates complaints from anyone with the power to fire me.
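The history-plus-minimum-age interaction described in the comment above, replayed as a small simulation (added example, not code from the original post or any commenter; the policy class, account model, day counter and sample passwords are all constructed here, and a plain SHA-256 stands in for whatever hashing a real directory service uses):

```python
import hashlib
from dataclasses import dataclass, field

def _h(pw: str) -> str:
    # Directory services store salted hashes; a plain SHA-256 is enough here
    # to avoid keeping plaintext in the remembered list (assumption).
    return hashlib.sha256(pw.encode()).hexdigest()

@dataclass
class PasswordPolicy:
    history_depth: int = 6   # "remember last six passwords"
    min_age_days: int = 0    # 0 = no minimum password age enforced

@dataclass
class Account:
    current: str
    set_on_day: int
    remembered: list = field(default_factory=list)  # hashes, newest first

def new_account(pw: str, day: int) -> Account:
    return Account(current=pw, set_on_day=day, remembered=[_h(pw)])

def change_password(acct: Account, policy: PasswordPolicy, new_pw: str, today: int):
    """Apply the two controls from the comment; return (accepted, reason)."""
    if today - acct.set_on_day < policy.min_age_days:
        return False, "minimum password age not reached"
    if _h(new_pw) in acct.remembered[: policy.history_depth]:
        return False, "password matches one of the remembered passwords"
    acct.remembered.insert(0, _h(new_pw))
    acct.remembered = acct.remembered[: policy.history_depth]
    acct.current, acct.set_on_day = new_pw, today
    return True, "ok"

def cycle_attempt(policy: PasswordPolicy, attempt_day: int = 1):
    """Replay the trick from the comment: six throwaway changes in one sitting,
    then a seventh change back to the original. The account was created on
    day 0; all attempts happen on attempt_day. Returns (password now in
    force, number of accepted changes). Sample passwords are constructed."""
    acct = new_account("OriginalPw!1", 0)
    accepted = 0
    plan = [f"Throwaway{i}!" for i in range(6)] + ["OriginalPw!1"]
    for pw in plan:
        ok, _ = change_password(acct, policy, pw, attempt_day)
        if ok:
            accepted += 1
    return acct.current, accepted

if __name__ == "__main__":
    # History alone: all 7 changes succeed and the old password is back in force.
    print(cycle_attempt(PasswordPolicy(history_depth=6, min_age_days=0)))
    # History plus a 1-day minimum age: only the first change is accepted.
    print(cycle_attempt(PasswordPolicy(history_depth=6, min_age_days=1)))
```

With history alone the seventh change lands back on the original password; with a one-day minimum age the user gets exactly one change per day, so cycling through six throwaways takes a week rather than a minute.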

This is only something that people who don’t use LastPass complain about. I taught Infosec at my company and LastPass was the single best thing we ever did there.

The others are fine too, KeePass, 1password, dashlane, etc, but having used all of them, LastPass is the winner, you literally can’t mess it up and it’s by default on all your devices.

Stop being dumb. Just move to LastPass. It doesn’t matter if Amazon allowed “1234” or forced a 20 char one time use, there is just no way you are secure using your stupid brain which will default to derivatives and re-use.

You should have a 16-20 char unique password for every site – and for the most part you shouldn’t even know what they are.

writing a password down might not be the end of the world, as long as you keep the (only!) note it’s written on in your wallet. and as long as you don’t value the account that password protects any higher than any other one thing you’d lose if your wallet got stolen. after all, it’s not like you wouldn’t have to take some emergency recovery actions if you lost all that other stuff you keep in there.

password managers tend to work on the “all your eggs in this really heavily armored basket” principle, and encrypt their database six ways to sunday. which is good enough for me.

Unless you know of a way to carry secure paper and quickly access what you need to – a password manager is the only way to go. LastPass in particular has excellent security when used with a 2FA process like Duo.